Test for internal TLS certificate rotation #15217
Conversation
/hold
/unhold
The test fails with:
@ReToCode I suppose the certificates might not be properly reloaded yet after deleting the
The test passed when I added waiting for ca.crt in routing-serving-certs. Will try again during reviews.
Good stuff, commented inline. I'm not sure about the error - could be anything IMHO and would need debugging to see where the 503 actually comes from. Probably not deleting the secret could be a start, though.
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files:

@@           Coverage Diff            @@
##            main   #15217     +/-  ##
=======================================
- Coverage   84.78%   84.74%   -0.04%
=======================================
  Files         218      218
  Lines       13479    13479
=======================================
- Hits        11428    11423       -5
- Misses       1685     1687       +2
- Partials      366      369       +3

View full report in Codecov by Sentry.
@ReToCode this is ready for another review.
/lgtm
/approve
/override "style / suggester / shell"
@ReToCode: ReToCode unauthorized: /override is restricted to Repo administrators. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@dprotaso mind overriding the shell-check? IMHO, this should be in a separate PR, as only the time changed in this one.
The original intention was to skip the cleanup only when the test fails, not always. This was missed in the original PR that introduced the flag.
This is to properly expand the variables when passing to tests and to pass shellcheck.
/lgtm
@ReToCode Hmm. The latest error looks genuine:
So, after deleting the old cert from the trust-bundle there's an error with TLS. Any idea why this could happen?
+1, yes, that could take a while to fully complete. It does not make much sense to wait for that in an e2e test.
The cert rotation might not be fully complete yet. This also adds a little randomness to the test.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mgencur, ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
IMHO, we can skip certmanager-integration-tests_serving_main, as per #15261
/override "certmanager-integration-tests_serving_main"
@dprotaso: Overrode contexts on behalf of dprotaso: certmanager-integration-tests_serving_main In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@mgencur: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
* TestTLSCertificateRotation
* Use SkipCleanupOnFail only when the test fails. The original intention was to skip the cleanup only when the test fails, not always. This was missed in the original PR that introduced the flag.
* Use default poll interval and timeout
* Fix lint
* Make function GetCASecret return the secret also for internal encryption
* Move WaitForLog to e2e package to prevent "redefined flag"
* Wait for 2 occurrences of cert reload. It is loaded at the beginning and then after re-creating the serving-certs secret during the test.
* Increase timeout for systeminternaltls tests to 4m
* Wait for CA cert to be re-created in routing-serving-certs before checking state
* The test usually takes around 120 seconds
* Rename waitForCaCert to waitForCACertSecret
* Fix lint
* Use new ClusterIssuer for testing certificate rotation. Also, do not rely on ca.crt to be in routing-serving-certs. We rely solely on the trust-bundle ConfigMap.
* Actually rename the new issuer
* Run ./hack/update-codegen.sh
* Create const for name of renewed issuer
* Fixes
* Update test
* Revert "Use new ClusterIssuer for testing certificate rotation"
* Fix lint and deps
* Use arrays for GO_TEST_FLAGS and E2E_TEST_FLAGS. This is to properly expand the variables when passing to tests and to pass shellcheck.
* One more fix for shellcheck
* Add missing bracket
* Do NOT delete old cert from trust-bundle ConfigMap. The cert rotation might not be fully complete yet. This also adds a little randomness to the test.

(cherry picked from commit b15ce9a)
Co-authored-by: Martin Gencur <mgencur@redhat.com>
Add test for TLS certificate rotation

Proposed Changes
* Rewrote scanPodLogs as a more versatile WaitForLog that can wait for a given condition.
* Fixed ServingFlags.SkipCleanupOnFail. The cleanup should really be skipped only if the test fails. This was missed during reviews on the original PR.
* getCertManagerCA now also waits for the Secret to exist rather than failing immediately.
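As an added illustration (not code from this PR or the Knative repo) of the WaitForLog idea described in the proposed changes and in the commit message, the poller below waits for a given condition on pod logs, retries while the pod or secret does not exist yet instead of failing immediately, and is satisfied by the second cert-reload line; `fetch`, `Condition` and `OccursAtLeast` are hypothetical names and the log source is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Condition is evaluated against the latest snapshot of a pod's log output.
type Condition func(logs string) bool

// OccursAtLeast is satisfied once substr appears n or more times; the PR's test
// waits for two cert-reload lines: one at startup, one after serving-certs is re-created.
func OccursAtLeast(substr string, n int) Condition {
	return func(logs string) bool { return strings.Count(logs, substr) >= n }
}

// WaitForLog polls fetch (hypothetical: returns the current pod logs) every interval
// until cond holds or timeout elapses. Fetch errors are retried rather than failing
// fast, because the pod or secret may not exist yet while rotation is in progress.
func WaitForLog(fetch func() (string, error), cond Condition, interval, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	var lastErr error
	for {
		logs, err := fetch()
		if err != nil {
			lastErr = err
		} else if cond(logs) {
			return nil
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("timed out after %s waiting for log condition (last fetch error: %v)", timeout, lastErr)
		}
		time.Sleep(interval)
	}
}

func main() {
	// Constructed log source: the first poll fails, then one more reload line appears per poll.
	calls := 0
	fetch := func() (string, error) {
		calls++
		if calls == 1 {
			return "", fmt.Errorf("pod not ready")
		}
		return strings.Repeat("certificate reloaded\n", calls-1), nil
	}
	err := WaitForLog(fetch, OccursAtLeast("certificate reloaded", 2), 10*time.Millisecond, time.Second)
	fmt.Println("polls:", calls, "err:", err) // polls: 3 err: <nil>
}
```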